Account Protection Integration Guide

This integration guide includes a high-level overview of integration points, workflow, and detailed technical specifications for relevant SDKs and the corresponding API.

Login Event Workflow

The login workflow begins with data collection from the browser application or from the mobile SDK. The Kount browser data collector is a JavaScript SDK downloaded at runtime. Our mobile SDK can be integrated into your mobile application. Only one data collection should be made per session.

After your end user’s sign-in credentials have been posted to your authentication service, there are two paths:

  • Valid Credentials — If your end user presented valid credentials, you POST to the Kount Login API prior to granting access. The response to this API call is Allow, Block, or Challenge. Depending on the response and based on your policies, you can either allow access, deny access, or challenge your end user using the Kount MFA or your existing step-up authentication.

  • Invalid Credentials — If your end user fails authentication, you decline access and POST to the Failed Attempt API.

Device Data Collector Implementation

The Device Data Collector gathers information from a customer’s device by running client-side scripts and then sends that data to Kount. This passive analysis conceals the Kount 360 interaction with the customer and does not affect the customer’s experience. This data is one of the foundations of Kount 360 fraud protection.

The flow for device data collection follows this pattern:

[Diagram: K360 Payments Fraud Integration Diagrams - Session ID Flow]

The steps for Device Data Collector setup are:

  1. Generate Session ID — Generates a session ID and provides it to the Device Data Collector SDK.

  2. DDC SDK collects and sends device data — The Device Data Collector sends the collected device data to Kount 360.

  3. Submit event data with session ID to your server — When the event data (the order, login, or new account opening data) gets submitted to your server, include the session ID that was passed to the Device Data Collector.

  4. Send event data with session ID to Kount 360 — Pass the session ID in the call to Kount 360, along with the rest of the event data.

  5. Associate device data and event data by matching the session ID — Kount 360 associates the device data and the event data, using the session ID that was passed to Kount 360.

Use our guided Device Data Collector Content generator or follow the steps in the Native iOS and Android SDKs article.
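As an added example (not Kount's SDK or sample code), the following Python sketches the server side of the Login Event Workflow and the session ID steps above: step 1 issues the session ID, and the two credential paths call a hypothetical `kount` client whose post_login and post_failed_attempt methods stand in for the Login and Events APIs. The event field names and the session ID format are assumptions, not Kount's schema.

```python
import secrets

# Guidance values the guide says the Login API returns.
ALLOW, BLOCK, CHALLENGE = "Allow", "Block", "Challenge"
# Map guidance to what your application does; anything unrecognised fails closed.
GUIDANCE_TO_ACTION = {ALLOW: "grant", BLOCK: "deny", CHALLENGE: "step_up"}


class LoginFlow:
    def __init__(self, kount):
        self.kount = kount       # hypothetical client wrapping the Login and Events APIs
        self._issued = set()     # session IDs handed to the DDC (use your session store in practice)

    def new_session_id(self):
        """Step 1: generate an unguessable session ID for the Device Data Collector.
        Assumption: 32 hex characters; check Kount's SDK docs for the required format."""
        sid = secrets.token_hex(16)
        self._issued.add(sid)
        return sid

    def handle_login(self, credentials_valid, session_id, user_id):
        """Steps 3-4 and the two credential paths. Returns grant, deny or step_up."""
        if session_id not in self._issued:
            # Only forward IDs this server issued, so device data cannot be
            # attached to a session ID the client made up.
            return "deny"
        event = {"sessionId": session_id, "userId": user_id}  # placeholder fields
        if not credentials_valid:
            # Invalid credentials: deny, then report the failed attempt.
            self.kount.post_failed_attempt(event)
            return "deny"
        # Valid credentials: ask Kount before granting access; the same session ID
        # lets Kount 360 match the device data collected in the browser (step 5).
        guidance = self.kount.post_login(event)
        return GUIDANCE_TO_ACTION.get(guidance, "deny")
```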

Device Data Collector browser recommendations

Proper placement and configuration of the browser Device Data Collector is important for gathering information to identify devices, adhere to business policies, and accurately define login risk. Incorrect placement or misconfiguration can cause limited or no data collection.

Page and Page Location

Place the Device Data Collector code in the body of the sign-in page. Kount reduces collection from the same session ID when a second collection arrives within 15 minutes, so run a single data collection per session. When multiple collections run in a single session, for example because the collector was placed in a header that loads on every page, the collection events can be mistaken for a DDoS attack, throttling all collections from your site.

Google Chrome Lazy Load

The Google Chrome Lazy Load feature defers loading images and iFrames that sit below the end of the visible page. This feature is active when the Chrome Data Saver feature is on and the loading attribute is set to auto or unset. If you are using the Kount legacy data collector, which utilizes an iFrame, update your integration or set the loading attribute to eager, which bypasses lazy loading.

Content Security Policy

Kount utilizes both third-party and first-party cookies as well as device data to identify devices. In order to take full advantage of the Device Data Collector, you can make modifications to the Content Security Policy on your site. For more information on Content Security Policy, go to Content Security Policies (CSP) and the Device Data Collector.

Provisioning an API Key

Sign in to Kount 360 to authenticate your software for access to our API services.

  1. Sign in to Kount 360. There are two integration environments: sandbox and production. Only integrate into our sandbox environment if you are integrating a pre-production environment without production data.

  2. Select Admin, and then Developer.

  3. Select Options, and then Create API Key.

  4. Select Create.

  5. Expand the organization.

  6. Copy the API key and save it in a secure location.

    Note

    Use the copy button to copy the API key. If you close the window without copying the API key, you must create a new API key from the options menu. You are allowed two active API keys per customer. To create another API key when you already have two, delete one of the existing keys first.

Creating a Bearer Token

Following the OAuth 2.0 framework, after you have provisioned your API credentials in the portal, retrieve a temporary bearer token to authenticate calls to the Kount 360 API. Provide the client credentials in an HTTP POST to the login.kount.com URL for your environment.

With a successful exchange, the returned JSON provides the bearer token (the access_token property) and its lifetime (the expires_in property, given in seconds until expiration). The URL used to retrieve the bearer token varies depending on whether you are calling the Sandbox or Production system.

The values are:

Sandbox

  Auth Server URL: https://login.kount.com/oauth2/ausdppkujzCPQuIrY357/v1/token
  API Service Host: https://api-sandbox.kount.com

Production

  Auth Server URL: https://login.kount.com/oauth2/ausdppksgrbyM0abp357/v1/token
  API Service Host: https://api.kount.com

After obtaining the bearer token, use it to authenticate requests to the Kount 360 API. Include the token in the Authorization header of each HTTP API request in the form Authorization: Bearer {bearer token}.

To prevent authentication issues, refresh the token before it expires. Typically, tokens issued by login.kount.com expire after 20 minutes, while the client credentials remain valid unless revoked. Minimize calls to the /token endpoint by implementing token expiration handling in your applications: always check whether the current token has expired before requesting a new one, as excessive calls to the /token endpoint could result in rate limiting.

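The following Python, added here and not Kount's own sample code, retrieves the bearer token from the sandbox auth server and caches it so that a refresh happens only shortly before expires_in runs out, as the paragraph above recommends. The request format (API key as an HTTP Basic credential, a client_credentials form body) is an assumption to confirm against Kount's API reference; the fetch and clock parameters exist so the cache logic can be exercised offline.

```python
import json
import time
import urllib.request

# Sandbox value from the guide; swap in the production URL when going live.
SANDBOX_TOKEN_URL = "https://login.kount.com/oauth2/ausdppkujzCPQuIrY357/v1/token"


def request_token(token_url, api_key):
    """POST the client credentials to the auth server and return the parsed JSON.

    Assumption (not stated in the guide): the API key is presented as an HTTP
    Basic credential and the body is the standard OAuth 2.0 client_credentials
    grant; confirm the exact parameters against Kount's API reference.
    """
    req = urllib.request.Request(token_url, data=b"grant_type=client_credentials",
                                 method="POST")
    req.add_header("Authorization", "Basic " + api_key)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class BearerTokenCache:
    """Reuses one bearer token and refreshes it `skew` seconds before expires_in
    runs out, so /token is not called on every API request."""

    def __init__(self, api_key, token_url=SANDBOX_TOKEN_URL, skew=60,
                 fetch=request_token, clock=time.time):
        self.api_key, self.token_url, self.skew = api_key, token_url, skew
        self.fetch, self.clock = fetch, clock  # injectable for offline tests
        self._token, self._expires_at = None, 0.0
        self.fetch_count = 0  # watch this to spot refresh storms before rate limiting

    def token(self):
        now = self.clock()
        if self._token is None or now >= self._expires_at - self.skew:
            data = self.fetch(self.token_url, self.api_key)
            self._token = data["access_token"]
            self._expires_at = now + int(data["expires_in"])  # seconds until expiry
            self.fetch_count += 1
        return self._token

    def auth_header(self):
        """Header the Kount 360 API expects on every request."""
        return {"Authorization": "Bearer " + self.token()}
```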

Login Abuse API Endpoints

The login workflow begins with data collection from the browser application or from the mobile SDK.

Login Abuse endpoint

When the end user logs in with valid credentials, you make a POST to the Login API to get a response with the guidance Allow, Block, or Challenge.

Refer to the Login Abuse API help page for more information.

https://api.kount.com/login

Events endpoint

When the end user fails to provide valid credentials, call the Events API with failed attempt details.

When the end user receives a guidance challenge and you have your own multi-factor authentication, then update the outcome of that step up using the Events API.

Refer to the Events API help page for more information.

https://api.kount.com/events

Trusted Device endpoint

A request to this endpoint creates a trusted device record for the specified user and the device associated with the session.

Refer to the Trusted Device API help page for more information.

https://api.kount.com/trusted-device

Secure MFA endpoint

When you receive a guidance of Challenge from the Login Abuse API response for an end user and a multi-factor authentication (MFA) request is sent to their phone or email, use the Secure MFA endpoint to check the status of the MFA sent to the end user.

Refer to the Secure MFA API help page for more information.

https://api.kount.com/secure-mfa

Account Creation Abuse API Endpoint

The Account Creation Abuse endpoint uses the session ID created by the customer for the Device Data Collector.

Account Creation Abuse endpoint

An account creation request sent to the Account Creation Abuse API triggers an evaluation of customer-defined policies and returns a guidance of Allow, Block, or Challenge based on those policies.

Refer to the Account Creation Abuse API help page for more information.

https://api.kount.com/newaccountopening